Review and resolve anomalies

/anomalies is where the hourly anomaly scanner surfaces things worth a second look — scope creep, off-hours activity, high denial rates, an agent suddenly using a platform it’s never touched.

Available on Team and Enterprise.

Page layout

  • Title: Security Anomalies
  • Subtitle: “Detected by the hourly anomaly scanner. Auto-refreshes every 60s.”
  • Badge: “{N} active” (red) when there’s anything unresolved

Filters

  • Tabs: Active (default) / Resolved / All
  • Severity: All severities / Critical / Warning / Info
  • Type: All types / Scope creep / New platform access / High denial rate / Off-hours activity

What each row shows

  Column         Meaning
  Severity       CRITICAL (red), WARNING (amber), INFO (blue)
  Type           The kind of anomaly
  Agent          Which agent
  Platform       Which platform (if applicable)
  Action taken   none, FLAGGED, or AUTO-SUSPENDED
  Detected       When the scanner caught it
  Status         Active (amber) or Resolved {timestamp} (green)
  Resolve        Button on active rows only

What “Action taken” means

The scanner can do more than flag — for critical-severity anomalies it can suspend the agent automatically:

  • none — recorded for visibility, no action taken
  • FLAGGED — surfaced in this list and via push notification, but the agent keeps running
  • AUTO-SUSPENDED — agent is now suspended and won’t make calls until you reactivate it

The trigger thresholds depend on your account’s Anomaly sensitivity setting (Settings → Anomaly sensitivity → Low / Medium / High).

Resolving

Click Resolve (green) on an active row. The button becomes “Resolving…”, then the row moves to the Resolved tab with a timestamp and your owner ID as the resolver.

Resolution is a manual acknowledgement — “I’ve looked at this, here’s what I think”. It doesn’t undo the auto-action. If the scanner auto-suspended the agent, you’ll also need to Reactivate it from /agents/:id.

When to investigate first

For any CRITICAL severity or AUTO-SUSPENDED action — don’t resolve without looking. Click into the agent and review its audit log around the detection time. Common patterns:

  • Repeated denials on a single scope → the agent is trying something it shouldn’t, OR the upstream has expired (check /platforms)
  • A spike in volume during off-hours → either a useful automation you forgot about, or something running you didn’t intend
  • Sudden access to a new platform → the agent gained a scope it shouldn’t have, OR you just granted it and the scanner is being noisy
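A small triage helper that encodes the checks above, added here as an example and not part of the product’s own code. The anomaly row fields, audit-log event fields and the platform record are constructed assumptions about how you would export that data, not the product’s real format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (field names are assumptions, not the product's export format).
ANOMALY = {"type": "High denial rate", "severity": "CRITICAL", "action": "AUTO-SUSPENDED",
           "agent": "agent-42", "platform": "github", "detected": datetime(2024, 5, 2, 3, 10)}
AUDIT_LOG = [  # constructed audit-log events for agent-42 around the detection time
    {"ts": datetime(2024, 5, 2, 2, 50), "agent": "agent-42", "platform": "github",
     "scope": "repo:write", "outcome": "denied"},
    {"ts": datetime(2024, 5, 2, 2, 58), "agent": "agent-42", "platform": "github",
     "scope": "repo:write", "outcome": "denied"},
    {"ts": datetime(2024, 5, 2, 3, 5), "agent": "agent-42", "platform": "github",
     "scope": "repo:write", "outcome": "denied"},
    {"ts": datetime(2024, 5, 1, 9, 0), "agent": "agent-42", "platform": "github",
     "scope": "repo:read", "outcome": "allowed"},  # outside the window, ignored
]
# Constructed /platforms record: the upstream credential expired before the detection.
PLATFORMS = {"github": {"expires": datetime(2024, 5, 1, 0, 0)}}

def needs_investigation(anomaly):
    """CRITICAL severity or an AUTO-SUSPENDED action must be looked at before resolving."""
    return anomaly["severity"] == "CRITICAL" or anomaly["action"] == "AUTO-SUSPENDED"

def events_near(log, anomaly, window=timedelta(minutes=30)):
    """Audit-log events for the same agent within +/- window of the detection time."""
    return [e for e in log if e["agent"] == anomaly["agent"]
            and abs(e["ts"] - anomaly["detected"]) <= window]

def triage(anomaly, log, platforms):
    """Return a recommendation that distinguishes the benign and suspicious patterns."""
    if not needs_investigation(anomaly):
        return "ok to resolve"
    nearby = events_near(log, anomaly)
    if anomaly["type"] == "High denial rate":
        denied = Counter(e["scope"] for e in nearby if e["outcome"] == "denied")
        if denied:
            scope, n = denied.most_common(1)[0]
            plat = platforms.get(anomaly["platform"], {})
            if plat.get("expires") and plat["expires"] <= anomaly["detected"]:
                return f"{n} denials on {scope}: upstream credential expired, re-authorise on /platforms"
            return f"{n} denials on {scope}: agent attempting an out-of-scope action, review before reactivating"
    if anomaly["type"] == "New platform access":
        granted = [e for e in nearby if e["outcome"] == "scope_granted"
                   and e["platform"] == anomaly["platform"]]
        return "scope granted just before detection: likely scanner noise" if granted \
            else "unexplained new platform access: investigate the agent's audit log"
    if anomaly["type"] == "Off-hours activity":
        return f"{len(nearby)} calls around {anomaly['detected']:%H:%M}: confirm a scheduled automation exists"
    return "investigate manually"
```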

Empty state

When the active queue is empty:

“No active anomalies — your agents are behaving normally.”

That’s a good day.